Attackers Abuse UPnP Devices to launch DDoS Attacks

Security Researchers at Akamai Technologies issued a warning that (SSDP) Simple Service Discovery Protocol – which is part of the (UPnP) Universal Plug and Play protocol standard is being abused by Attackers to carry out reflection (DDoS) distributed denial-of-service attacks.

(SSDP) The Simple Service Discovery Protocol is part of the UPnP protocol standard and comes enabled on millions of networked devices (such as Routers/Wifi access points, Computers, Smart Tvs, Webcams, printers etc) to allow them to discover each other and establish communication for data sharing, media playback control, media streaming etc.

Over 4.1 Million Devices are Vulnerable

As part of its research, PLXsert at Akamai found 4.1 million Internet-facing UPnP devices that can be used in reflection DDoS attack. PLXsert also identified that python scripts are being used to scan for UPnP-enabled devices that reply to an initial discovery packet request and turn those devices into reflectors for distributed denial-of-service attacks DDoS attacks. The majority of the targets of the SSDP attacks have been detected in the education (21.4 percent), entertainment (28.6 percent) and payment processing (21.4 percent) sectors.

“Malicious attackers are using this new attack vector to perform large-scale DDoS attacks. The number of UPnP devices that will behave as open reflectors is vast, and many of them are home-based Internet-enabled devices that are very difficult to patch.” said Stuart Scholly, senior vice president and general manager of the Security Business Unit at Akamai.

Vulnerability in UPnP Used In DDoS Attack

“The rise of reflection attacks involving UPnP devices in an example of how afluid and dynamic the DDoS crime ecosystem can be in identifying, developing and incorporating new resources and attack vectors into its arsenal,” the advisory states. “Further development and refinement of attack payloads and tools is likely in the near future.”

Attackers also found that (SOAP) Simple Object Access Protocol is used to deliver control messages to UPnP devices and pass information requests “can be crafted to elicit a response that reflects and amplifies a packet, which can be redirected towards a target,” according to the security advisory.